New Windows RDP bug shocks people. This newly reported quirk in Windows Remote Desktop Protocol (RDP) is raising eyebrows among security professionals: users can log in over RDP with passwords that have expired or have since been changed. The strangest part: Microsoft doesn't consider it a bug.
What is This Windows RDP Bug?
The issue arises when users log into Windows via RDP using Microsoft accounts or Azure AD (now Microsoft Entra ID) accounts. When such an account signs in, Windows stores a locally cached verifier derived from the password (not the password itself) so the account can be validated without contacting the identity provider. Once stored, that cached verifier can satisfy an RDP logon even after the account password has been changed or revoked in the cloud.
In some cases, users report that several previous passwords still work while the most recent one does not. This behavior undermines one of the core assumptions of account security: that changing a password revokes all access obtained with the old one.
Security Implications
Because the logon is satisfied against the local cache, the sign-in never reaches the identity provider, so the controls that normally run at sign-in are skipped. The cached-password mechanism can therefore be used to bypass:
- Cloud-based password verification
- Multifactor authentication (MFA)
- Conditional Access policies
If an attacker obtains an old password (from a breach dump, phishing, or a reused credential), they could use RDP to reach machines that cached it long after the password was reset, giving them a stealthy, persistent backdoor that a routine password rotation does not close.
Microsoft’s Position
Microsoft has acknowledged the behavior but maintains that it is not a vulnerability. According to the company, it is by design: the cache ensures that at least one user can still log in to a machine that has been offline or disconnected from the network for a long time.
Instead of issuing a patch, Microsoft updated its documentation to describe this behavior, but it has not offered comprehensive guidance for system administrators who want to mitigate the risk.
Expert Reactions
Many IT professionals find this behavior counterintuitive from a security standpoint. The expectation is that once a password is changed, any previously valid ones should be invalidated immediately, especially when cloud-based authentication and security policies are in place.
The fact that older credentials can still grant RDP access raises concerns about potential misuse and the overall reliability of password-based protections in hybrid or cloud-connected environments.
What Can You Do?
Although Microsoft isn't planning a fix, admins can take steps to reduce risk:
- Restrict RDP Access: Do not expose TCP 3389 to the internet. Reach it only from internal networks, through a VPN, or via a Remote Desktop Gateway, and keep Network Level Authentication enabled.
- Enforce MFA and Conditional Access: They do not stop a cached-credential RDP logon to a machine that already holds the cache, but they still protect every other sign-in path and remain good practice.
- Disable Credential Caching: On sensitive, always-connected systems, set the Group Policy "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" to 0. Be aware that domain users then cannot log on while a domain controller is unreachable, and that this setting governs Active Directory cached logons; verify on your own build whether it also changes the Microsoft account and Azure AD behavior described here.
- Monitor RDP Logs: Review Security event 4624 with logon type 10 (RemoteInteractive) and the TerminalServices-RemoteConnectionManager log. The event does not record which password satisfied the logon, so treat RDP sessions opened after a password reset as worth a second look.
- Rotate Passwords With Realistic Expectations: Regular password changes still matter, but tell users (and assume in your own incident response) that a changed password does not by itself revoke RDP access on machines that cached the old one.
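The following PowerShell script is an added example for the steps above; it is not code from the article, from the original reporter, or from Microsoft. It audits the registry values behind the settings listed (RDP enabled, NLA required, cached logon count), lists recent RDP logons from the Security log and flags those that happened after a known password reset, and applies the cached-logon policy with `-WhatIf` support. It assumes an elevated PowerShell 5.1 or later session on the host being audited, the standard Terminal Server and Winlogon registry locations, and that logon success auditing is enabled so event 4624 exists. The function names and the `$ResetTimes` sample are the example's own.

```powershell
# Added example, not from the original article or from Microsoft.
# Assumes an elevated session on the host being audited and default registry paths.

function Get-RdpCredentialCacheAudit {
    # Reads the settings that decide whether RDP is reachable, whether NLA is
    # enforced, and how many domain logons Windows keeps cached locally.
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $nlaKey = "$tsKey\WinStations\RDP-Tcp"
    $wlKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    $deny   = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $nla    = (Get-ItemProperty -Path $nlaKey -Name UserAuthentication  -ErrorAction SilentlyContinue).UserAuthentication
    $cached = (Get-ItemProperty -Path $wlKey  -Name CachedLogonsCount   -ErrorAction SilentlyContinue).CachedLogonsCount

    # CachedLogonsCount is REG_SZ; when the value is absent the policy default (10) applies.
    $cachedCount = if ($null -eq $cached) { 10 } else { [int]$cached }

    [pscustomobject]@{
        RdpEnabled        = ($deny -eq 0)   # fDenyTSConnections = 1 turns Remote Desktop off
        NlaRequired       = ($nla -eq 1)    # UserAuthentication = 1 means NLA is on
        CachedLogonsCount = $cachedCount
        CachingDisabled   = ($cachedCount -eq 0)
    }
}

function Get-RecentRdpLogons {
    param(
        [int]$MaxEvents = 50,
        # Optional: 'DOMAIN\user' -> DateTime of that account's last password reset.
        # Event 4624 cannot show which password satisfied the logon, so the best the
        # log can do is flag RDP sessions opened after a reset for manual review.
        [hashtable]$ResetTimes = @{}
    )
    # Successful RDP sessions are Security event 4624 with LogonType 10 (RemoteInteractive).
    # With NLA a LogonType 3 event from the CredSSP pre-authentication commonly precedes it,
    # so type 10 is the one to key on. FilterXPath keeps the filtering in the event log service.
    $xpath = "*[System[EventID=4624] and EventData[Data[@Name='LogonType']='10']]"
    Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
            $account = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            $reset   = $ResetTimes[$account]
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = $account
                SourceIp    = $data['IpAddress']
                AuthPackage = $data['AuthenticationPackageName']
                AfterReset  = ($null -ne $reset -and $_.TimeCreated -gt $reset)
            }
        }
}

function Disable-CachedDomainLogons {
    # Applies "Interactive logon: Number of previous logons to cache" = 0 by writing
    # CachedLogonsCount directly. Caveats: domain users can then log on only while a
    # domain controller is reachable (laptops off the network are locked out), and the
    # setting governs Active Directory cached logons; confirm on your own build whether
    # it changes the Microsoft account / Azure AD behaviour described in the article.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $wlKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if ($PSCmdlet.ShouldProcess($wlKey, 'Set CachedLogonsCount to 0')) {
        Set-ItemProperty -Path $wlKey -Name CachedLogonsCount -Value '0' -Type String
    }
}

# Usage: audit first, review who has been connecting, then rehearse the change with -WhatIf.
# The reset time below is a constructed sample; take real values from your directory.
Get-RdpCredentialCacheAudit | Format-List
Get-RecentRdpLogons -MaxEvents 20 -ResetTimes @{ 'CONTOSO\alice' = (Get-Date '2025-04-20') } |
    Format-Table Time, Account, SourceIp, AuthPackage, AfterReset -AutoSize
Disable-CachedDomainLogons -WhatIf
```

The audit deliberately reads the registry rather than calling `secedit`, so it also works on machines that are not domain-joined; on domain-joined hosts, prefer setting the policy through Group Policy so the local value is not overwritten at the next refresh. `AfterReset` is a review cue, not proof that an old password was used, because the logon event carries no information about which cached or live credential satisfied it.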
Final Thoughts
This RDP credential caching behavior walks a fine line between usability and security. It serves a purpose on machines that are genuinely offline, but on connected ones it quietly undermines the assumption that a password reset ends access. Until Microsoft offers more robust controls or changes the behavior, administrators should treat cached RDP logons as a standing risk and rely on defense in depth: restricted RDP exposure, credential-cache limits where they are acceptable, and monitoring of RDP sessions that follow a password reset. At the end of the day, this Windows RDP bug surprised a lot of IT experts.